webMethods.io API Gateway: Securing APIs using SSL Certificate

Introduction

This article explains about how to secure API’s using the SSL certificate.

Audience

It is assumed that readers of this article know how to setup API’s on API gateway.

Prerequisites            

  • Configure the API at the API gateway.
  • Create an Application and associate API with the application.
  • Refer the link to create an API  

         https://github.com/SoftwareAG/webmethods-api-gateway    

  • In this case, API is configured at API gateway “b2binboundchannel”
  • SSL certificate and private key

        

     

Configure Certificate at nginx

  • Since API Gateway is layered with nginx, therefore certificate needs to be configured at nginx level also.

Verify Ciphers

 

  • Validate the SSL ciphers configured at API GW and at the partner side.
  •  At both ends, the cipher should match for a successful transaction.

      

Configure Certificate at API Gateway

  • Log in to the API gateway

     

     

  • Create the application at API Gateway

          

            

      

  • Import the public certificate
  • In this case, self-signed certificate is uploaded in the application.

     

    

             

     

Configure the policy

  • Open the API
  • Navigate to policies.

      

      

  • Click on Identify & Access policy.

                 

          

  • Select Identify & Authorize Application.
  • Select SSL Certificate and select the registered application from application lookup drop-down menu. 

           

                        

            

                 

Test Using Postman Client                       

  • Configure the certificates at the postman client.

         

         

      

Verify the logs at API Gateway

  • Navigate to API gateway
  • Open API, in this case, it is b2binboundchannel
  • Navigate to Analytics tab
  • In the transaction log there will be certificate details, which were sent along with the request.

                

       Note: Attaching the self-signed certificates used for this case

     

   

Certificates.zip (2.55 KB)